CVE-2026-34263 (Critical)
CVSS: 9.6 (Critical)
EPSS: 0.01 (p44)
Published: 2026-01-01
Updated: 2026-01-01
Description
Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.
Tags · CWE
Pre-auth
CWE-459
CWE-459 · Base · Draft
Incomplete Cleanup
The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
https://cwe.mitre.org/data/definitions/459.html
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Timeline
2026-01-01: Published
2026-01-01: Updated
CVSS 3.1 breakdown
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)
Exploit indicators
EPSS: 0.006 · p44
Known exploited (KEV): No
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
External references
https://me.sap.com/notes/3733064
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2026.html
https://www.decryptiondigest.com/blog/sap-cve-2026-34263-commerce-cloud-rce-s4hana-sqli
https://bdu.fstec.ru/vul/2026-06822
https://url.sap/sapsecuritypatchday